Antrax
ESL Student
Posted: Fri Oct 01, 2010 6:19 am Post subject: 1
I'm normally pretty adept at removing malware, but over the last couple of days I'm struggling with what seems to be God himself trying to phish me into buying fake anti virus programs. Because this is my work computer, I trusted work to handle updates and the such, but it seems there were multiple attack surfaces: old version of adobe reader plugin vulnerable to XSS and old versions of java vulnerable to an attack on java update. So, we can assume anything could've gotten in, as both allow remote code execution.
The current symptoms are as follows: booting into safe mode results in blue screen (PFN_LIST_CORRUPT) while normal boot works just fine. Google search results that lead to sites that have keywords like "trojan" redirect to fake "buy my antivirus software". Using a VPN to connect to Intel's network eliminates this problem. Also, both browsers (IE and FF) crash randomly and fairly often if I'm not inside the VPN. For FF, running it in safe mode makes the crash problem disappear, but not the search hijack problem.
HijackThis, MWBAM, AAW, RAPIER and the Symantec crap find nothing wrong. Sysinternals rootkit revealer found a suspicious regkey for Software\IE\SearchScope that I eliminated, but that didn't change anything. MWBAM full scan, gmer and combofix all end in blue screen (IRQL_NOT_LESS_etc) which is most likely the result of my being unable to disable the McAfee antivirus on this computer (standard Intel IT build, requires a password I don't have).
So, ideas? I'm actually desperate enough to turn the computer to the notebook lab on Sunday and let them have a shot, but there are very low odds anyone there knows something I don't, so they're just likely to install Windows 7 (which I've been avoiding doing) as a "fix".
_________________
After years of disappointment with get rich quick schemes, I know I'm gonna get rich with this scheme. And quick!

Death Mage
Raving Lunatic
Posted: Fri Oct 01, 2010 7:52 am Post subject: 2
You have, of course, run it through the free on-line virus scan at Trend Micro (or attempted to)? Or tried Microsoft's version?
Might not work, but they don't cost.
_________________
* These senseless ramblings brought to you by Insanity™. If you just can't figure the dang thing out, it must be Insanity™.
[YOUR AD HERE!]

wordcross
Posted: Fri Oct 01, 2010 11:54 am Post subject: 3
I had a problem very similar to this a while back. I fixed it temporarily by running about five different adware/malware scans and trying a couple of different virus programs (AdAware, Spybot, McAfee, Avast, etc.) and a registry fixer I found via googling one of the popups (from another computer). My laptop seemed fixed for about 2 weeks before I saw more symptoms (even with new virus/malware protection). I ended up wiping and doing a clean install.
_________________
Has anyone really been far even as decided to use even go want to do look more like?

Chaz
Vote: Zag
Posted: Fri Oct 01, 2010 12:05 pm Post subject: 4
Get Autoruns.
http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
Find the likely culprit--I usually Google anything I don't recognize.
Be careful with drivers... they're rarely mal-ware (though I have seen that happen, especially if your model is very popular)... if you get into a blue-screen on boot, try "Last Known Good Configuration."
After you've removed everything that seems suspect, find "refresh" (either in file, edit or view) and refresh it. Watch for stuff to "recheck" itself.
If something just won't go away, I hook the hdd up to another computer (a linux boot disc would also work) and manually delete the file(s) that are causing the problem--and by "delete", I mean "rename and move somewhere safe."
This methodology has only failed me once.
_________________
The enemy's base is down.

jesternl
Yankee Doodle Dutchie
Posted: Fri Oct 01, 2010 6:05 pm Post subject: 5
What if you run IE without addons, still crashes/redirects?
Anything in IE LAN settings ==> proxy server?
check C:\WINDOWS\system32\drivers\etc\hosts as well for any funky entries

Chaz
Vote: Zag
Posted: Fri Oct 01, 2010 6:48 pm Post subject: 6
Antrax wrote:
> So, ideas? I'm actually desperate enough to turn the computer to the notebook lab on Sunday and let them have a shot, but there are very low odds anyone there knows something I don't, so they're just likely to install Windows 7 (which I've been avoiding doing) as a "fix".
There also used to be a program called LSPFix. I didn't see that you haven't upgraded to 7 yet (I imagine LSP fix doesn't work with 7)
Personally, I would just upgrade to 7. I hated Vista, but 7 seems even better than XP was.
_________________
The enemy's base is down.

Antrax
ESL Student
Posted: Fri Oct 01, 2010 7:51 pm Post subject: 7
Autoruns is good, never heard of it. Anyway, running some more stuff showed a pretty severe trojan infection, while fixing it I got a blue screen about winlogon.exe access violation and that's all my computer wrote. I'm officially giving up and giving it to the NB lab.
_________________
After years of disappointment with get rich quick schemes, I know I'm gonna get rich with this scheme. And quick!

Chaz
Vote: Zag
Posted: Fri Oct 01, 2010 7:58 pm Post subject: 8
Probably for the best. Seriously, Windows 7 is a lot better.
Also, system file checker is probably what you're looking for next if you just can't admit defeat and winlogon.exe is hosed.
_________________
The enemy's base is down.

Logain
Stretch Armstrong
Posted: Sun Oct 03, 2010 2:41 am Post subject: 9
You should post the following to help:
a list of the running processes tab under Windows Task manager.
a list of what's in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run from regedit
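The items jesternl and Logain ask for (hosts file entries, the IE proxy setting, the Run keys, the running process list) can be gathered in one read-only pass so they can be pasted into a reply. The PowerShell below is an added example, not code from any poster in the thread; the registry paths are the standard Windows ones, and the rule that marks autostarts living outside Program Files or the Windows directory is an assumed heuristic, not something the thread states.

```powershell
# Added triage script (not from any poster). Read-only: it only lists what the
# thread asks for. Run it from an elevated PowerShell prompt on the affected PC.
# The "outside Program Files / Windows" marker is an assumed heuristic, nothing more.

$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

Write-Output '== hosts entries (anything beyond localhost deserves a look) =='
Get-Content $hostsPath |
    Where-Object { $_ -notmatch '^\s*#' -and $_ -match '^\s*[0-9a-fA-F.:]+\s+\S+' } |
    Where-Object { $_ -notmatch '\slocalhost(\.localdomain)?\s*$' } |
    ForEach-Object { "  $_" }

Write-Output '== WinINET (IE) proxy settings; a proxy you never configured is a red flag =='
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
foreach ($name in 'ProxyEnable', 'ProxyServer', 'AutoConfigURL') {
    '  {0,-14} {1}' -f $name, $inet.$name
}

Write-Output '== Run keys (machine and user); ?? marks entries outside the usual directories =='
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    # Get-ItemProperty adds PS* bookkeeping properties; skip those, keep the real values.
    (Get-ItemProperty $key).PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS' } |
        ForEach-Object {
            $flag = if ($_.Value -match '(?i)Program Files|\\Windows\\') { '   ' } else { '?? ' }
            "  $flag$key\$($_.Name) = $($_.Value)"
        }
}

Write-Output '== Running processes with image path (compare against what you recognise) =='
# Out-String keeps this as text so the sections print in order when the script is redirected.
Get-Process | Sort-Object Name | Select-Object Name, Id, Path | Format-Table -AutoSize | Out-String
```

Redirect the whole script's output to a file on a clean USB stick if the infected machine's browser is unusable, and compare the Run entries against what Autoruns shows.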

Antrax
ESL Student
Posted: Sun Oct 03, 2010 5:00 am Post subject: 10
Thanks Logain, but a) it's much too late for that and b) Those steps I've actually already gone through. I'm not inexperienced with malware, this is just the first trojan I see to use these techniques (disable safe mode and manage to bypass rootkit revealers).
_________________
After years of disappointment with get rich quick schemes, I know I'm gonna get rich with this scheme. And quick!

Suspence
Daedalian Member
Posted: Mon Aug 22, 2011 5:10 pm Post subject: 11
Turning to the GL for help. My PC seems to have gotten a virus, which I've always been able to kill in the past using RKill and Malwarebytes. This time around, no such luck. Symptoms:
1) All google links redirect to 2dayoftheweek.com (though the URL appears correct, the page I am actually brought to is not). As long as I type the URL in, it works fine, as do all non-Google links I've tried
2) All malware programs are shut down very shortly after they start, including RKill, Malwarebytes AntiMalware, AdAware and a host of others. In addition, the link to these programs no longer work after they are shut down, so I need to re-download them to try again.
3) Command Prompt is disabled.
I've searched for solutions everywhere, but have hit dead ends for 2 days straight. Any help?
_________________
I hate people who try to write interesting things in their signature.

extropalopakettle
No offense, but....
Posted: Mon Aug 22, 2011 5:33 pm Post subject: 12
Suspence wrote:
> 1) All google links redirect to 2dayoftheweek.com ...
The domain was only registered 11 days ago. Google turns up quite a few requests for help in various forums in the last few days.

Suspence
Daedalian Member
Posted: Mon Aug 22, 2011 5:40 pm Post subject: 13
I've also run TDSS Killer that many of those threads recommend, however like all the other malware programs I've run, it quickly gets killed off.
_________________
I hate people who try to write interesting things in their signature.

extropalopakettle
No offense, but....
Posted: Mon Aug 22, 2011 5:46 pm Post subject: 14
extropalopakettle wrote:
> Suspence wrote:
> > 1) All google links redirect to 2dayoftheweek.com ...
> The domain was only registered 11 days ago. Google turns up quite a few requests for help in various forums in the last few days.
And the domains 1dayoftheweek through 7dayoftheweek were registered at the same time.

extropalopakettle
No offense, but....
Posted: Mon Aug 22, 2011 5:54 pm Post subject: 15
Spybot (and I'd imagine other malware removal tools) has a bootable CD, but it's not free: http://www.safer-networking.org/en/bootablecd/index.html
I'd imagine you might need such a thing (boot from CD, so no malware on hard drive has a chance to be active), but this thing sounds like it's new enough that I wouldn't be sure what yet knows how to deal with it.

Suspence
Daedalian Member
Posted: Mon Aug 22, 2011 9:29 pm Post subject: 17
No luck with that either.
_________________
I hate people who try to write interesting things in their signature.

Sessie
Saucy Chica
Posted: Mon Aug 22, 2011 11:37 pm Post subject: 18
Are you able to boot into safe mode? Can you get a HijackThis log?
You could also try Avast (www.avast.com)...when you install it, you have the option to run a full scan at bootup, before your OS starts. That's another option, maybe the malware won't be able to catch it at that point.
Scratch that last bit...apparently you no longer have that option with Avast. Blah.
_________________
"I have an everyday religion that works for me: love yourself first, and everything else falls into line." --Lucille Ball

Suspence
Daedalian Member
Posted: Tue Aug 23, 2011 12:18 am Post subject: 19
I am able to boot into Safe Mode, but experience all the same issues. As for HijackThis, I downloaded, installed, and ran.
As with everything else, it began to scan, closed down after a few seconds, and the program is no longer accessible (Windows cannot access the specified device, path, or file. You may not have the appropriate permission to access this file).
_________________
I hate people who try to write interesting things in their signature.

Sessie
Saucy Chica
Posted: Tue Aug 23, 2011 1:34 am Post subject: 20
Hmm...it's tough to say without seeing it. I'm with extro on the bootable CD being your best bet as far as attacking this thing...the problem is how to create the CD when it kills everything you try to do. I don't suppose you've got another computer handy to create a UBCD?
_________________
"I have an everyday religion that works for me: love yourself first, and everything else falls into line." --Lucille Ball

MNOWAX
0.999... of a Troll
Posted: Tue Aug 23, 2011 3:00 am Post subject: 21
I hate to say this mainly because it is a program that is very dangerous to work with, but you can use something called ComboFix.
This is a program to be used as a last resort only, and if you can not find any other way of defusing it. This program will supersede most anything out there, and you should be able to run it in safe mode without a problem. Download a clean copy of it, and use a flash drive to bring it to the infected pc, and run it. It is a one time use program only, so if for some reason it doesn't work, you will have to download another copy and start again.
Good luck to you!
_________________
The Man The Myth The Legend
MNOWAX

Antrax
ESL Student
Posted: Tue Aug 23, 2011 5:07 am Post subject: 22
Before combofix, some sillier things:
a) Have you tried renaming the executable for these (hijackthis, anti-spyware of all sorts) programs before running them?
b) Does "msconfig" work? Does regedit?
c) Can you run "services.msc" and disable services?
d) Did you have system restore on before this happened?
_________________
After years of disappointment with get rich quick schemes, I know I'm gonna get rich with this scheme. And quick!

Suspence
Daedalian Member
Posted: Tue Aug 23, 2011 2:04 pm Post subject: 23
I found an old Kaspersky iso file and used it as a bootable disc, which seemed to work except for the fact that it was too old. I'd need something current to run a scan as a bootable disc.
I believe I tried combofix as well, though not by downloading it on a clean computer so I can look into that.
As to Ant's questions:
> a) Have you tried renaming the executable for these (hijackthis, anti-spyware of all sorts) programs before running them?
Yes, no dice. Same thing happens. Another symptom I've noticed is that these exe files I've downloaded can't be deleted from my desktop (or renamed, etc) once the virus has killed the program.
> b) Does "msconfig" work? Does regedit?
Yes and yes.
> c) Can you run "services.msc" and disable services?
Yes, but I'm not sure what to disable.
> d) Did you have system restore on before this happened?
Nope.
_________________
I hate people who try to write interesting things in their signature.

Suspence
Daedalian Member
Posted: Tue Aug 23, 2011 2:35 pm Post subject: 25
I tried the Avira rescue CD last night as well. It gave me a picture of 4 Linux penguins, then everything went dark and nothing seemed to ever happen.
_________________
I hate people who try to write interesting things in their signature.

MatthewV
Daedalian Member
Posted: Tue Aug 23, 2011 6:13 pm Post subject: 27
Couldn't you just get your personal files off the computer and do a complete reinstall?

Suspence
Daedalian Member
Posted: Wed Aug 24, 2011 5:56 pm Post subject: 28
Since it was a work laptop, I ultimately surrendered and turned it over to IT. 36 hours later, all is good with the world. Thanks for the suggestions...
_________________
I hate people who try to write interesting things in their signature.

Antrax
ESL Student
Posted: Wed Aug 24, 2011 6:00 pm Post subject: 29
That's no fun. They probably just ghosted it or something.
_________________
After years of disappointment with get rich quick schemes, I know I'm gonna get rich with this scheme. And quick!

Sniklac16
Spaciest of aides
Posted: Thu Aug 25, 2011 1:19 pm Post subject: 30
Try using malwarebytes, it's a really good program and it's free to download and use. I've used it several times and it's saved my computer a couple times.
_________________
What lies behind us and what lies before us are tiny matters compared to what lies within us.

Suspence
Daedalian Member
Posted: Thu Aug 25, 2011 4:49 pm Post subject: 31
Agreed that Malwarebytes works really well typically, but that was one of the symptoms of whatever I had (see post 11). All anti-virus and anti-malware scans were being killed immediately.
_________________
I hate people who try to write interesting things in their signature.

MatthewV
Daedalian Member
Posted: Thu Aug 25, 2011 5:46 pm Post subject: 32
So what did you do to get this malware?? As it was a work computer, hopefully it wasn't a random p0rn site...

Samadhi
+1
Posted: Thu Aug 25, 2011 6:36 pm Post subject: 33
Now if it were pseudo random, carry on.
_________________
And he lived happily ever after. Except for the dying at the end and the heartbreak in between.